xgqfrms™, xgqfrms® : xgqfrms's offical website of cnblogs! xgqfrms™, xgqfrms® : xgqfrms's offical website of GitHub!

Fetch & Headers & CSRF All In One

Fetch & Headers & CSRF All In One

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#Headers

X-Custom-Header

const myHeaders = new Headers();

myHeaders.append('Content-Type', 'text/plain');
myHeaders.append('X-Custom-Header', 'ProcessThisImmediately');

const content = 'Hello World';
myHeaders.append('Content-Length', content.length.toString());

// The same can be achieved by passing an array of arrays or an object literal to the constructor:

const myHeaders = new Headers({
  'Content-Type': 'text/plain',
  'Content-Length': content.length.toString(),
  'X-Custom-Header': 'ProcessThisImmediately'
});

CSRF

  headers: {
    "Content-Type": "application/json",
    "x-csrf-token": csrftoken,
    // .setRequestHeader('x-csrf-token', csrftoken);
  },

CSRF 攻击:伪造用户请求向网站发起恶意请求

message: "invalid csrf token"

https://eggjs.org/zh-cn/core/security.html#安全威胁csrf的防范

https://eggjs.org/zh-cn/core/security.html#安全威胁-csrf-的防范

// CSRF

// config/config.default.js
// module.exports = {
//   security: {
//     csrf: {
//       ignoreJSON: true, // 默认为 false,当设置为 true 时,将会放过所有 content-type 为 `application/json` 的请求
//     },
//   },
// };
config.security = {
  csrf: {
    enable: false,
  },
};

demos

text


const url = `http://localhost:7001/product/create`;
const json = { id: '123', name: 'admin' };

const csrftoken = document.cookie.split(';').map(item => item.trim()).map(item => ({[item.split(`=`)[0]]: item.split(`=`)[1]})).filter(obj => obj.csrfToken)[0].csrfToken;;

fetch(url, {
  headers: {
    "Content-Type": "application/json",
    "x-csrf-token": csrftoken,
    // .setRequestHeader('x-csrf-token', csrftoken);
  },
  // credentials: "same-origin",// cookie
  method: "POST",
  // mode: "cors",
  body: JSON.stringify(json),
})
.then(res => res.text())
// .then(res => res.json())
.then(json => {
  console.log(`text =`, json);
  // console.log(`json =`, JSON.stringify(json, null, 4));
  return json;
})
.catch(err => console.error(`error =`, err));

(🐞 反爬虫测试!打击盗版⚠️)如果你看到这个信息, 说明这是一篇剽窃的文章,请访问 https://www.cnblogs.com/xgqfrms/ 查看原创文章!

POST

JSON

const url = `http://localhost:7001/product/create`;
const json = { id: '123', name: 'admin' };

const csrftoken = document.cookie.split(';').map(item => item.trim()).map(item => ({[item.split(`=`)[0]]: item.split(`=`)[1]})).filter(obj => obj.csrfToken)[0].csrfToken;;


fetch(url, {
  headers: {
    "Content-Type": "application/json",
    "x-csrf-token": csrftoken,
  },
  credentials: "include",// cookie
  method: "POST",
  mode: "cors",
  body: JSON.stringify(json),
})
// .then(res => res.text())
.then(res => res.json())
.then(json => {
//   console.log(`text =`, json);
  console.log(`json =`, JSON.stringify(json, null, 4));
  return json;
})
.catch(err => console.error(`error =`, err));

Promise {<pending>}
VM13893:15 json = {
    "id": "123",
    "name": "admin"
}

cURL

$ curl 'http://localhost:7001/product/create' \
  -H 'Connection: keep-alive' \
  -H 'DNT: 1' \
  -H 'x-csrf-token: Lg_TzQXsAh7Rk27ztpzl3gYs' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4137.0 Safari/537.36' \
  -H 'Content-Type: application/json' \
  -H 'Accept: */*' \
  -H 'Origin: http://localhost:7001' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: http://localhost:7001/product/create\
  -H 'Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'Cookie: csrfToken=Lg_TzQXsAh7Rk27ztpzl3gYs; sensorsdata2015jssdkcross=%7B%22distinct_id%22%3A%22171319a1aef2f3-088239ecd3d0f5-6a3f0f7b-1764000-171319a1af0b4c%22%2C%22first_id%22%3A%22%22%2C%22props%22%3A%7B%22%24latest_traffic_source_type%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_search_keyword%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%2C%22%24latest_referrer%22%3A%22url%E7%9A%84domain%E8%A7%A3%E6%9E%90%E5%A4%B1%E8%B4%A5%22%7D%2C%22%24device_id%22%3A%22171319a1aef2f3-088239ecd3d0f5-6a3f0f7b-1764000-171319a1af0b4c%22%7D' \
  --data-binary '{"id":"123","name":"admin"}' \
  --compressed

refs



©xgqfrms 2012-2021

www.cnblogs.com/xgqfrms 发布文章使用:只允许注册用户才可以访问!

原创文章,版权所有©️xgqfrms, 禁止转载 🈲️,侵权必究⚠️!


posted @ 2020-05-09 22:15  xgqfrms  阅读(637)  评论(1编辑  收藏  举报